CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Application Data
Note: Default error pages give detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.
Potential Mitigations
Phase: System Configuration
Description: Handle exceptions appropriately in source code. ASP.NET applications should be configured to use custom error pages instead of the framework default page.
Phase: Architecture and Design
Description: Do not attempt to process an error or attempt to mask it.
Phase: Implementation
Description: Verify return values are correct and do not supply sensitive information about the system.
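The System Configuration mitigation can be checked mechanically. The following is an added example, not part of the CWE entry: a Python audit that parses a Web.config and reports any `<customErrors>` setting that leaves the framework's own error output in place, including `<location>` overrides. The sample configurations are constructed, and `audit_custom_errors` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config contents (not taken from the page).
WEAK = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
    <error statusCode="404" redirect="~/NotFound.aspx" />
  </customErrors>
</system.web></configuration>"""

# A <location> override can re-enable detailed errors for a single path.
OVERRIDE = """<configuration>
  <system.web><customErrors mode="On" defaultRedirect="~/Error.aspx" /></system.web>
  <location path="admin"><system.web>
    <customErrors mode="Off" />
  </system.web></location>
</configuration>"""

def _local(tag):
    """Strip an XML namespace prefix such as '{ns}customErrors'."""
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means custom error pages are enabled."""
    root = ET.fromstring(web_config_xml)
    nodes = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not nodes:
        # With no element, ASP.NET falls back to mode="RemoteOnly" and no custom page.
        return ["no <customErrors> element: no custom error page is configured"]
    findings = []
    for node in nodes:
        mode = node.get("mode", "RemoteOnly")
        if mode.lower() == "off":
            findings.append("mode=Off: framework error details are returned to remote clients")
        has_page = bool(node.get("defaultRedirect")) or any(
            _local(c.tag) == "error" for c in node)
        if mode.lower() != "off" and not has_page:
            findings.append(f"mode={mode} without defaultRedirect or <error>: "
                            "the framework's generic error page is served")
    return findings

if __name__ == "__main__":
    for name, xml in [("WEAK", WEAK), ("HARDENED", HARDENED), ("OVERRIDE", OVERRIDE)]:
        print(name, audit_custom_errors(xml) or "OK")
```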
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
| Operation | - |
Applicable Platforms
Programming Languages
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | ASP.NET Misconfiguration: Missing Custom Error Handling | - |